Information Assurance: A Personal Perspective
Ravi Sandhu
(presentation transcript)

Slide 1: Information Assurance: A Personal Perspective
  Ravi Sandhu
Slide 2: Agenda
  - Selected highlights from my 25+ years in this business (roughly chronological with respect to start):
      - Typed Access Matrix (TAM) Model
      - Multilevel Relational (MLR) Model
      - Role-Based Access Control (RBAC)
      - Policy-Enforcement-Implementation (PEI) Layers
      - Usage Control (UCON) Model
      - TriCipher Authentication Ladder
  - Selected ongoing research projects:
      - Assured Information Sharing Enabled by Trusted Computing
  - Perspective on the future of Information Assurance
  - Q&A
Slide 3: Safety in Access Control: Access Matrix Model (Lampson, 1971)
  [Figure: access matrix with subjects (U, V) as rows and objects (F, G, and the subjects themselves) as columns; each cell holds the rights the subject has on the object, such as r, w, own]
Slide 4: Safety in Access Control: HRU Model (1976)
  - Theorem 1. Safety in HRU is undecidable.
  - Theorem 2. Safety in monotonic mono-operational HRU is undecidable.
Slide 5: Safety in Access Control: TAM Model (Sandhu, 1992)
  - Theorem 1. Safety in TAM is undecidable.
  - Theorem 2. Safety in monotonic acyclic ternary TAM is polynomially decidable.
Slide 6: Safety in Access Control: From HRU to TAM
  - HRU (HRU 1976)
  - Take-Grant (JLS 1978)
  - SSR (Sandhu 1983)
  - SPM (Sandhu 1988)
  - ESPM (Ammann-Sandhu, 1990)
  - TAM (Sandhu, 1992)
Slide 18: TriCipher Authentication Ladder: Underlying Science
  - 2-key RSA
      - Private key: d (used to sign)
      - Public key: e (used to verify signature)
  - 3-key RSA
      - Net effect: as though the single private key d was used to sign, BUT
      - Private key: d1 (used by user to partially sign)
      - Private key: d2 (used by TACS server to partially sign)
Slide 19: TriCipher Authentication Ladder: Underlying Science
  - e * d = 1 mod phi(n)
  - d1 * d2 = d mod phi(n)
  - d2: stored on TACS server and used to partially sign on behalf of authenticated user
  - d1: constructed on client PC from multiple factors under control of user:
      - password
      - randomstring 1
      - randomstring 2
      - …
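The split-key arithmetic on the slide, worked through as an added toy example (not TriCipher's code): d1 is derived from the factors the user controls, the server's share is d2 = d * d1^-1 mod phi(n), and the client's and server's partial exponentiations compose to an ordinary RSA signature that verifies under e. The primes, password, factor strings and hash-based derivation of d1 are constructed assumptions; there is no padding, so this is illustration only.

```python
import hashlib
import math

# Constructed toy parameters (far too small for real use): two primes and the
# usual public exponent. Real deployments would use full-size keys.
P, Q, E = 1000003, 999983, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # ordinary 2-key RSA private exponent; never stored anywhere


def derive_d1(password: bytes, factors: list, phi: int) -> int:
    """Client-side partial key built from the factors under user control
    (password plus random strings, as on the slide). Hashing them is an assumption."""
    material = hashlib.sha256(password + b"".join(factors)).digest()
    d1 = max(2, int.from_bytes(material, "big") % phi)
    while math.gcd(d1, phi) != 1:  # d1 must be invertible mod phi(n) so that d2 exists
        d1 += 1
    return d1


def split_key(d: int, d1: int, phi: int) -> int:
    """Server share d2 with d1 * d2 = d (mod phi(n)); this is what the TACS server stores."""
    return (d * pow(d1, -1, phi)) % phi


def digest(msg: bytes, n: int) -> int:
    # Toy: raw hash-as-integer, no PKCS#1 padding.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def client_partial_sign(h: int, d1: int, n: int) -> int:
    return pow(h, d1, n)                 # user's half: h^d1 mod n


def server_finish_sign(partial: int, d2: int, n: int) -> int:
    return pow(partial, d2, n)           # server's half: (h^d1)^d2 = h^(d1*d2) = h^d mod n


def verify(h: int, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == h           # relying party only needs the public key (e, n)


def demo(msg: bytes = b"login request #42") -> dict:
    d1 = derive_d1(b"correct horse", [b"randomstring1", b"randomstring2"], PHI)
    d2 = split_key(D, d1, PHI)
    h = digest(msg, N)
    partial = client_partial_sign(h, d1, N)
    sig = server_finish_sign(partial, d2, N)
    return {"d1": d1, "d2": d2, "h": h, "sig": sig,
            "ok": verify(h, sig, E, N),
            "matches_single_key": sig == pow(h, D, N),   # same as signing with d
            "partial_alone_ok": verify(h, partial, E, N)}  # client's half is useless alone
```

Neither party holds d: the client's half does not verify on its own, and the server cannot produce a signature without the client's partial.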
Slide 20: Assured Information Sharing Enabled by Trusted Computing (Ongoing work)
  [Figure: three interlocking components]
  - Secure Information Sharing (IS): "Share but Protect", "Mother of all Security Problems"
  - Policy-Enforcement-Implementation Layers (PEI) & Usage Control Models (UCON)
  - Trusted Computing (TC)
Slide 21: What is Trusted Computing (TC)?
  - Basic premise: software alone cannot provide an adequate foundation for trust
  - Old style Trusted Computing (1970 – 1990's)
      - Multics system
      - Capability-based computers: Intel 432 vis a vis Intel 8086
      - Trust with security kernel based on military-style security labels
      - Orange Book: eliminate trust from applications
  - What's new (2000's)
      - Hardware and cryptography-based root of trust
      - Trust within a platform
      - Trust across platforms
      - Rely on trust in applications: no Trojan Horses, or mitigate Trojan Horses and bugs by legal and reputational recourse
      - Massive paradigm shift
      - Prevent information leakage by binding information to Trusted Viewers on the client
Slide 22: What is Information Sharing?
  - The mother of all security problems
  - Share but protect
  - Requires controls on the client: server-side controls do not scale to high assurance
  - Bigger than (but includes):
      - Retail DRM (Digital Rights Management)
      - Enterprise DRM
Slide 23: What is Information Sharing?
  (table: content type and value versus strength of enforcement)
  - Sensitive and proprietary
      Weak: Password-protected documents
      Medium: Software-based client controls for documents
      Strong: Hardware-based trusted viewers, displays and inputs
  - Revenue driven
      Weak: IEEE, ACM digital libraries protected by server access controls
      Medium: DRM-enabled media players such as for digital music and eBooks
      Strong: Dongle-based copy protection, hardware-based trusted viewers, displays and inputs
  - Sensitive and revenue
      Weak: Analyst and business reports protected by server access controls
  Source: Roshan Thomas and Ravi Sandhu, "Towards a Multi-Dimensional Characterization of Dissemination Control." POLICY04.
Slide 24: With current state of knowledge the information sharing space
  (table: functionality, simple versus complex; strength of enforcement, weak/medium versus strong)
  - Legally enforceable versus system enforced rights
      Weak/Medium: Reliance on legal enforcement; limited system enforced controls.
      Strong: Strong system-enforceable rights, revocable rights.
  - Dissemination chains and flexibility
      Simple: Limited to one-step disseminations.
      Complex: Flexible, multi-step, and multi-point.
      Weak/Medium: Mostly legal enforcement.
      Strong: System enforceable controls.
  - Object types supported
      Simple: Simple, read-only and single-version objects.
      Complex: Support for complex, multi-version objects.
  - Support for object sensitivity/confidentiality
      Weak/Medium: Reliance on legally enforceable rights.
      Strong: System supported and enforceable rights and sanitization on multiple versions.
  - Persistence and modifiability of rights and licenses
      Simple: Immutable, persistent and viral on all disseminated copies.
      Complex: Not viral and modifiable by recipient.
      Strong: System enforceable.
  - Online versus offline access and persistent client-side copies
      Simple: No offline access and no client-side copies.
      Complex: Allows offline access to client-side copies.
      Weak/Medium: Few unprotected copies are tolerated.
      Strong: No unprotected copies are tolerated.
  - Usage controls
      Simple: Control of basic dissemination.
      Complex: Flexible, rule-based usage controls on instances.
      Weak/Medium: Some usage abuse allowed.
      Strong: No potential for usage abuse.
  - Preservation of attribution
      Simple: Recipient has legal obligation to give attribution to disseminator.
      Complex: System-enabled preservation and trace-back of the attribution chain back to original disseminator.
      Weak/Medium: Attribution can only be legally enforced.
      Strong: Attribution is system enforced.
  - Revocation
      Simple: Simple explicit revocations.
      Complex: Complex policy-based revocation.
      Weak/Medium: No timeliness guarantees.
      Strong: Guaranteed to take immediate effect.
  - Support for derived and value-added objects
      Simple: Not supported.
      Complex: Supported.
      Strong: System enforceable rights for derived and value-added objects.
  - Integrity protection for disseminated objects
      Simple: Out of band or non-crypto based validation.
      Complex: Cryptographic schemes for integrity validation.
      Weak/Medium: Off-line validation.
      Strong: High-assurance cryptographic validation.
  - Audit
      Simple: Audit support for basic dissemination operations.
      Complex: Additional support for the audit of instance usage.
      Weak/Medium: Offline audit analysis.
      Strong: Real-time audit analysis and alerts.
  - Payment
      Simple: Simple payment schemes (if any).
      Complex: Multiple pricing models and payment schemes including resale.
      Weak/Medium: Tolerance of some revenue loss.
      Strong: No revenue loss; objective is to maximize revenue.
  With the current state of knowledge, the information sharing space is too complex to characterize in a comprehensive manner. Look for sweet spots that are of practical interest and where progress (and killer products) can be made.
  Source: Roshan Thomas and Ravi Sandhu, "Towards a Multi-Dimensional Characterization of Dissemination Control." POLICY04.
Slide 25: Classic Approaches to Information Sharing
  - Discretionary Access Control (DAC), Lampson 1971
      - Fundamentally broken: controls access to the original but not to copies (or extracts)
  - Mandatory Access Control (MAC), Bell-LaPadula 1971
      - Solves the problem for coarse-grained sharing
      - Thorny issues of covert channels, inference, aggregation remain but can be confronted
      - Does not scale to fine-grained sharing: super-exponential explosion of security labels is impractical
      - Fallback to DAC for fine-grained control (as per the Orange Book) is pointless
  - Originator Control (ORCON), Graubart 1989
      - Propagated access control lists: let copying happen but propagate ACLs to copies (or extracts)
      - Not very successful
Slide 26: Modern Approach to Information Sharing
  - Prevent leakage by binding information to Trusted Viewers on the client
  - Use a mix of cryptographic and access control techniques
      - Cryptography and Trusted Computing primitives enable encapsulation of content in a Trusted Viewer: the Trusted Viewer cannot see plaintext unless it has the correct keys
      - Access control enables fine-grained control and flexible policy enforcement by the Trusted Viewer: the Trusted Viewer will not display plaintext (even though it can) unless policy requirements are met
  - Enables policy flexibility and policy-mechanism separation